How to get only first 3 events as a result for ea...

thezero · ‎10-27-2014

I am attempting to get first 3 events for each user field for which user count>3.

Basically what I am looking for is

1)Get stats count for user field out of all data

2)Identify events for which user count>3

3)Get only top 3 users out of all data for - user count>3

4)and final result which display only first 3 events for each user

for below query I am getting user count and top 3 users with max count.

index=windows | stats count by user | sort - count | head 3 |where count>3

result:

User count

User1 8
user2 4
user3 6

I want final result as 9 events---->containing first 3 events for each user.

Could you please advice?

jitsinha · ‎11-10-2014

try | head 3 after your search query

thezero · ‎11-10-2014

H Gkanapathy,

Thanks for the asnswer but its still showing only 3 results 😞

Regards,
Rahul

gkanapathy · ‎10-28-2014

Ah I see you've modified your question. Then perhaps:

index=windows [ search index=windows | top limit=3 showperc=f user | where count > 3 ] | eventstats count by user | dedup 3 user sortby - count

Jeff_Lightly_Sp · ‎10-28-2014

Does this get close to what you need? i just used 'eventtype' as an example.

index=windows | stats count by user,eventtype | sort - user,eventtype | where count > 3 | top limit=3 eventtype by user

davebrooking · ‎10-28-2014

I think the streamstats command is what you may need to use to rank the events - take a look at this answer, I believe it should point you in the right direction

Dave

gkanapathy · ‎10-27-2014

index=windows | top limit=3 user | where count > 3

0YAoNnmRmKDg · ‎10-27-2014

try this

index=windows | stats count by user | where count>3 | top 3

otherwise try expanding your question a bit - its a little hard to follow...

How to get only first 3 events as a result for each event/Field?

Index This | Divide 100 by half. What do you get?

Stay Connected: Your Guide to December Tech Talks, Office Hours, and Webinars!

Splunk and Fraud